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creates a plurality of authenticators (4) by applying a different 
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(54) Authentication of electronic data 



(57) The authentication system has a signing station 
and a certifying station. The signing station divides the 
data to be transmitted into a plurality of blocks of data, 
a hash unit (2) creates a plurality of authenticators (4) 
by applying a different one-way function to each block. 
In the certifying station, a separating unit (7) divides the 



data into blocks, a hash unit (2) creates a plurality of 
authenticators (4) by applying a different one-way func- 
tion to each block, and a comparing unit (8) compares 
the authenticators prepared anew with the authentica- 
tors separated from the received data and checks the 
authentication of the data from the comparison. 
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Description 

[0001] The present invention relates to an authentica- 
tion system, an authentication method, a signing appa- 
ratus/method, a certifying apparatus/method, a soft- 
ware program and a recording medium for the same for 
creating an authenticator by applying a one-way func- 
tion to electronic data, appending a signature to the 
electronic data and checking authentication of the elec- 
tronic data using the authenticator. The invention more 
particularly relates to prevention of forgery of the au- 
thenticator. 

[0002] In association with recent development in the 
computer technology, there has increased an opportu- 
nity to accumulate electronic data such as a document 
prepared with characters, numerals, and strings of sym- 
bols in a database, or to transfer the data via a network. 
Considering these facts, how to avoid forgery of elec- 
tronic data accumulated in a database or forgery of data 
during data communications has become a serious 
problem. 

[0003] For solving the problem, there has been known 
an authentication technology in which an authenticator 
created by applying a one-way function to electronic da- 
ta is appended thereto when the electronic data is trans- 
mitted and whether transmitted data is forged or not is 
verified using this authenticator when the electronic data 
is received. 

[0004] More specifically, a station which transmits the 
electronic data (signing station) divides the electronic 
data into specified blocks, subjects the data to a signa- 
ture processing by applying a one-way function such as 
a hash function to each of the divided data blocks, and 
transmits the data obtained through the processing to a 
distant station (certifying station). White a station which 
receives the electronic data creates an authenticator by 
applying a one-way function to a portion of the data other 
than the authenticator in the received electronic data, 
compares the created authenticator with the authenti- 
cator included in the electronic data, and verifies wheth- 
er the electronic data has been forged or not. 
[0005] However, even if the conventional technology 
described above is used, forgery of or tampering of elec- 
tronic data can not possibly be verified if the portion of 
the authenticator itself is forged, namely if the signature 
is forged. Therefore, prevention of forgery of the signa- 
ture becomes an issue that need to be resolved. 
[0006] When a hash function is used, for example, it 
is possible to make more difficult to forgery of electronic 
data by making longer a processed block length of the 
hash function. However, it is not realistic to make the 
processed block length of the hash function extraordi- 
narily long. 

[0007] Especially, a conventional type of hash func- 
tion is formed not based on an organized structural 
method but based on, in many cases, an empirical or 
an intuitive method obtained by combining a logical op- 
eration such as AND and OR with four rule of arithmetic 



in a complex manner. Therefore, enormous man power 
is required for experiments or the like when the block 
length of the hash function is to be increased. 
[0008] Aspects of the present invention may provide, 
5 in view of the problem described above, an authentica- 
tion system, an authentication method, a signing appa- 
ratus, a signing method, a certifying apparatus/method, 
a software program and a recording medium for the 
same which can efficiently prevent the forgery of the au- 
thenticator, when checking the authentication of the 
electronic data from an authenticator created using a 
one-way function. 

[0009] In one aspect of the invention, a signing station 
creates a plurality of authenticators using a plurality of 
one-way functions then and links these plurality of au- 
thenticators to the electronic data, so that the length of 
the authenticators to be appended to the information 
can easily be made longer, which makes it possible to 
reduce a probability of mis identification of a forged au- 
thenticator. 

[0010] The whole authenticator is not linked to the in- 
formation, but only a portion of data obtained by trun- 
cating each of the authenticator is linked, which makes 
it more difficult for a third party to forge the authenticator. 
[0011] Aone-wayoperation is performed with the data 
using a different key, so that the length of the authenti- 
cators to be appended to the information can be made 
longer without utilizing a special one-way operation. 
[0012] Authenticators can be discretely and inde- 
pendently prepared in parallel with each other, so that 
a plurality of authenticators can quickly be prepared. 
[0013] Alternatively, an authenticator is prepared by 
utilizing intermediate data generated when a previous 
authenticator is created, so that generation of the au- 
thenticator is made more complicated, which makes it 
still difficult for a third party to forge the authenticator. 
[001 4] A signing station executes a step of preparing 
a plurality of authenticators by applying a different one- 
way function to each data, and a step of linking the cre- 
ated authenticators to the information, so that the length 
of the authenticators to be appended to the information 
can easily be made longer, which makes it possible to 
reduce a probability of misidentification of a forged au- 
thenticator. 

[0015] In a method of the invention, there is a step of 
not linking the created whole authenticators to the infor- 
mation but linking only a portion of the data obtained by 
truncating each of the authenticators, which makes it 
more difficult for a third party to forge the authenticators. 
[001 6] Also, there is a step of performing a one-way 
operation with the data using a different key, so that the 
length of the authenticators to be appended to the infor- 
mation can be made longer without utilizing a special 
one-way operation. 

[001 7] Optionally, there are steps of discretely and in- 
dependently creating the authenticators in parallel with 
each other, so that a plurality of authenticators can 
quickly be created. 
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[0018] As an alternative, there is a step of preparing 
the authenticates by utilizing an intermediate data gen- 
erated when another authenticator is created, so that 
creation of the authenticator is made more complicated, 
which makes it still difficult for a third party to forge the 
authenticator. 

[0019] In another aspect of the invention, a program 
stored in a recording medium makes a signing station 
execute a step of creating a plurality of authenticators 
by applying a different one-way function to each data, 
and a step of linking the created authenticators to the 
information, so that the length of the authenticators to 
be appended to the information can easily be made 
longer, which makes it possible to reduce a probability 
of mis identification of the forged authenticator. 
[0020] Reference is made, by way of example, to the 
accompanying drawings in which: 

Fig. 1 shows a system configuration of the authen- 
tication system used in an embodiment of the 
present invention; 

Fig. 2A and Fig. 2B show more specific configura- 
tions (independent and multi-parallel configuration) 
of the authentication system shown in Fig. 1 ; 
Fig. 3A and Fig. 3B show a case where the authen- 
tication system shown in Fig. 1 operates independ- 
ently in three parallel branches; 
Fig. 4A shows configuration and Fig. 4B shows op- 
eration when the hash units 2 perform parallel 
processing in association with each other; 
Fig. 5 is a view showing one example of a document 
as an object for processing; and 
Fig. 6A and Fig. 6B explain the safety in the authen- 
tication system used in the embodiment. 

[0021] Detailed description is made hereinafter of a 
preferred embodiment of the present invention with ref- 
erence to Fig. 1 to Fig. 6. It should be noted that this 
embodiment explains a case in which text data included 
in a document is the target data and an authenticator is 
created by applying a hash function to this target data. 
[0022] Fig. 1 is a block diagram showing system con- 
figuration of the authentication system used in the em- 
bodiment of the present invention. In the left-hand side 
of Fig. 1 is a signature side (a signing station) which cre- 
ates an authenticator by applying a hash function to the 
text data and links this authenticator to the text data be- 
fore transmission. In the right-hand side of Fig. 1 is an 
authentication side (a certifying station) which creates 
an authenticator by applying a hash function to the data 
obtained by removing the authenticator from the re- 
ceived data, comparing the created authenticator with 
the authenticator included in the received data to check 
the correctness of the text data. Although it is assumed 
in this embodiment that a communication error will not 
occur in the process of transmission of data from the 
signing station to the certifying station. However, occur- 
rence of error may be prevented by using an error-cor- 



rection code or the like in some other cases. 
[0023] At first, configuration of the signing station is 
described. As shown in Fig. 1 , the signing station com- 
prises a plurality of hash units 2 and keys 3, and a linking 
5 unit 5, and it is assumed that data 1 is input to this sign- 
ing station. 

[0024] The data 1 is text data as an object for trans- 
mission to the certifying station and consists of a plural- 
ity of data D1 to Dn obtained by dividing the data into 
10 data blocks of a size corresponding to a data length for 
a hash function. This data 1 is text data which contains 
numerals, characters, or symbols included in a docu- 
ment shown in Fig. 5, and, for example, "The present 
invention" shown in Fig. 5 corresponds to data D1 . 
[0025] The hash units 2 have one-way functions for 
converting the data D1 to Dn using keys K1 to Kn to 
authentication signs CS1 to CSn respectively, and they 
output the converted authentication signs CS1 to CSn 
to the linking unit 5. Although it is assumed that the hash 
units 2 perform processing corresponding to a known 
hash function in a protocol or the like for a method of 
verifying authentication signs based on the conventional 
technology, it is not always required that reverse con- 
version is ensured. 

[0026] The keys 3 are the secret keys used when the 
hash units 2 perform scrambling of one-way data com- 
pression, and authentication signs 4 are prepared by the 
hash units 2 according to the keys K1 to Kn. 
[0027] The linking unit 5 links the authenticators 4 cre- 
ated by the hash units 2 to data D1 to Dn that should 
originally be transmitted, and the linked authenticators 
4 are appended, for example, to the end of the document 
as shown in Fig. 5. 

[0028] Next, configuration of the certifying station is 
described. As shown in Fig. 1 , the certifying station com- 
prises a separating unit 7, a plurality of hash units 2 and 
keys 3, and a comparing unit 8, and data received from 
the signing station is input to the certifying station. 
[0029] The separating unit 7 separates the data re- 
ceived from the signing station into data DV to Dn' and 
the authentication signs 4. The data DV to Dn' is input- 
ted into the hash units 2, while the authenticators 4 are 
inputted into the comparing unit 8. 
[0030] The comparing unit 8 compares the authenti- 
cation signs separated from the received data with the 
authenticators created from the data DV to Dn'. The 
comparing unit 8 certifies that the data is authentic when 
the authenticators are coincident with each other, and 
certifies that the data is forged one when the authenti- 
cators are not coincident. 

[0031] As described above, the authentication system 
according to this embodiment is so configured that a 
signing station prepares a plurality of authenticators 
CS1 to CSn using a plurality of hash units, so that a data 
length of authenticators can be made longer, which 
makes it difficult to forge the authenticator by a third par- 
ty. 

[0032] A sequence of processing by the signing sta- 
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tion and the certifying station of the authentication sys- 
tem shown in Fig. 1 is described below. 

(1) Creation of authenticators in the signature station: 
[0033] 

(1-1) The hash units 2 create CS1 to CSn each as 
the authenticators 4 by performing the processing 
of a one-way function using a key for each of input 
data D1 to Dn respectively into which the text data 
has been divided. 

(1-2) The linking unit 5 links the authenticators CS1 
to CSn created by the hash units 2 to the data D1 
to Dn. As a result, for example, authenticators of 8 
digits each consisting of 4 bits are appended, for 
example, to the end of the text as shown in the doc- 
ument of Fig, 5. 

[0034] As described above, authenticators are creat- 
ed with a different key for each of the data D1 to Dn into 
which the text data has been divided, which makes it 
extremely difficult for a third party to forge the authenti- 
cator, thus reliability of text data being enhanced. 

(2) Creation of authenticators in the certifying station: 
[0035] 

(2-1) The document shown in Fig. 5 prepared in the 
above step (1) is separated into the authenticators 
CS1 to Cn and data DV to Dn' (data blocks). 
(2-2) The hash units 2 create CSV to CSn* as the 
authenticators 4 for the separated data DV to Dn' 
respectively by using a different key. 
(2-3) The created authenticators CSV to CSn* are 
compared with the separated authenticators CS1 to 
CSn, and whether the authenticators are coincident 
with each other or not is determined. When the au- 
thenticators are coincident, then the text data is rec- 
ognized as not being forged, namely as an authen- 
tic one. On the other hand, when even a single au- 
thenticator is not coincident, then the text data is 
recognized as being a forged one. 

[0036] As described above, the certifying station cre- 
ates authenticators CSV to CSn* each with a different 
key for each of the data DV to Dn* separated from re- 
ceived data, compares the created authenticators CS1 ' 
to CSn' with the authenticators CS1 to CSn which are 
separated from the received data, determines the text 
data as an authentic one when it is determined that all 
the authenticators are coincident with each other, on the 
other hand, determines the text data as a forged one 
when even one authenticator is not coincident. 
[0037] More specific configuration (independent and 
multi-parallel configuration) of the authentication sys- 
tem shown in Fig. 1 is described. Fig. 2 is a block dia- 



gram showing more specific configuration (independent 
and multi-parallel configuration) of the authentication 
system shown in Fig. 1. Herein a case is assumed in 
which authenticators CS1 to CSn are created concur- 
s rently as well as in parallel from each of the input data 
D1 to Dn by using a different key. 
[0038] Fig. 2A shows configuration of the authentica- 
tion system, and in Fig. 2A, input data D1 to Dn is data 
D1 to Dn into which the text data as an object for trans- 
it mission is divided. The hash units 2 create the authen- 
ticators CS using the keys K. More specifically, each of 
the hash units 2 consists of an EOR 21 , a one-way func- 
tion 22 such as a hash function, and a truncator 23. 
[0039] The EOR 21 executes an operation of an ex- 
is elusive OR, and operates herein an exclusive OR be- 
tween the input data and a value obtained in the one- 
way function 22 in the previous time (an initial value IV 
is used for the first time). 

[0040] The one-way function (corresponds to a one- 
20 way function device) 22 creates an irreversible authen- 
ticator CS with the help of the one-way function from the 
data processed in the EOR 21 based on the key K. 
[0041] The truncator 23 truncates the authenticator 
CS prepared by the one-way function 22 and outputs 
25 the truncated authenticator. When the authenticator cre- 
ated by the one-way function 22 is out putted as it is, 
data length of the authenticator is naturally increased. 
However, an increase in the data length of the authen- 
ticator CS does not increase the safety of data but mere- 
30 |y increases the amount of data to be transmitted. 
[0042] Therefore, the truncator 23 truncates a portion 
of the authenticator created by the one-way function 22 
so that increase in a data length of the authenticator CS 
is made really useful. Even if the authenticator is trun- 
ks cated, a symbol space same as that in the case where 
the authenticator are transmitted without being truncat- 
ed is formed, therefore, security of data is not possibly 
reduced. Further, the security surely increases due to 
the truncation, because a third party will not know where 
40 the authenticator is truncated. 

[0043] Output data (D1 to Dn, CS1 to CSn) is ob- 
tained, as shown in Fig. 5, by linking the created authen- 
ticators CS1 to CSn to input data D1 to Dn. 
[0044] Fig. 2B shows how the authenticator CS is 
45 generated, and a portion of the left of Fig. 2B shows es- 
pecially how the authenticator CS1 is generated. 
[0045] In the left portion in Fig. 2B, 

Q)'l V = Public constant" indicates that a public con- 
50 stant is set as the initial value IV which is inputted 
into the EOR 21 forming a part of the hash unit 2 in 
the far left side of Fig. 2A. 

©'EK1 [I V(+)D1]=L11" indicates that the EOR 21 in 
Fig. 2A operates an exclusive OR between the ini- 
55 tial value IV set inQand the input data D1 , and that 
the one-way function 22 performs a one-way oper- 
ation (e.g., an operation by a hash function) with re- 
spect to the value obtained by operating the exclu- 
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sive OR using the key K1 to obtain a value L11. 
<3>"EK1[L11 (+)D2]=L12' indicates that the EOR 21 
in Fig. 2 A operates an exclusive OR between the 
value L11 obtained in ©and the second input data 
D2, and that the one-way function 22 performs a 
one-way operation (e.g., an operation by a hash 
function) with respect to the value obtained by op- 
erating the exclusive OR using the key K1 to obtain 
a value L12. 

©■EKIfLlfn-IK+JDnKIn 0 indicates that the EOR 
21 in Fig. 2A operates, similarly as described 
above, an exclusive OR between the previously ob- 
tained value L1 (n-1 ) and n-th data Dn, and that the 
one-way function 22 performs a one-way operation 
(e.g., an operation by a hash function) with respect 
to the value obtained by operating the exclusive OR 
using the key K1 to obtain a value L1n. 
©Tr[L1n]=CS1 " indicates that, when the operation 
is performed with respect to the last i.e. the n-th data 
Dn, a result of the last operation is outputted as the 
authenticator CS1 . 

[0046] Thus, the authenticator CS1 can be created by 
using the key 1 and initial value IV through the sequence 
of G) to ©described above. 

[0047] The central and the right portions of Fig. 2B 
respectively show, similarly to the sequence ofQ to© 
in the left portion, sequence of computing the authenti- 
cators CS2 and CS3 respectively. By repeating the 
same operation, authenticators up to CSn can also be 
computed. 

[0048] As described above, it is possible to concur- 
rently compute authentication signs CS1 to CSn by us- 
ing the keys K1 to Kn independently in n parallel branch- 
es. Herein, a forgery probability per CSn is 1/2 n P (where 
p is a bit length of the authentication sign). This forgery 
probability can be reduced by increasing a number of 
authenticators CS. Even if a number of authenticators 
CS is increased, because the processing is in parallel, 
a time required for the processing does not change. 
[0049] Next, a configuration as well as an operation 
is described when n=3 (independent triple-parallel con- 
figuration) in Fig. 2A and Fig. 2B with reference to Fig. 
3A and Fig. 3B. Fig. 3A is a view showing a case where 
the authentication system shown in Fig. 1 operates in- 
dependently in three parallel branches. 
[0050] Fig. 3A shows configuration of a case where n 
in Fig. 2 A is set to 3. The same reference numerals as 
those in Fig. 2A are assigned to the hash units 2, the 
EOR21 , the one-way function 22, and the truncator 23, 
and detailed description thereof is omitted herein. 
[0051] Fig. 3B shows how the authenticators CS1 to 
CS3 are generated in the hash units 2. Especially, the 
left portion of Fig. 3B shows a sequence of processing 
when the authenticator CS1 is created from the input 
data D1 to D3, the key K1 , and initial value IV shown in 
Fig. 3A. 

[0052] In the left portion in Fig. 3B, 



©• "IV = Public constant" indicates that a public con- 
stant is set as the initial value IV which is inputted 
into the EOR 21 in the first hash unit 2 from the left 
side of Fig. 3A. 
s ©' "EK1[IV(+)D1]=L11" indicates that the EOR 21 
in Fig. 3A operates an exclusive OR between the 
initial value IV set in©' and the first input data D1 , 
and that the one-way function 22 performs a one- 
way operation (e.g., an operation by a hash func- 
tion) with respect to the value obtained by operating 
the exclusive OR using the key K1 to obtain a value 
L11. 

©' "EK1 [L1 1 (+)D2]=L1 2" indicates that the EOR 21 
in Fig. 3A operates an exclusive OR between the 
value L11 obtained in®' and the second input data 
D2, and that the one-way function 22 performs a 
one-way operation (e.g., an operation by a hash 
function) with respect to the value obtained by op- 
erating the exclusive OR using the key K1 to obtain 
a value L12. 

® ' "EK1 [L1 2(+)D3]=L1 3" indicates that the EOR 21 
in Fig. 3A operates, similarly as described above, 
an exclusive OR between the previously obtained 
value L12 and 3rd data D3, and that the one-way 
function 22 performs a one-way operation (e.g., an 
operation by a hash function) with respect to the val- 
ue obtained by operating the exclusive OR using 
the key K1 to obtain a value L1n. 
©' "Tr[L13]=CS1' indicates that, when the opera- 
tion is performed with respect to the last i.e. 3rd data 
D3, a result of the 3rd operation is outputted as the 
authenticator CS1. 

[0053] The central portion and the right portion of Fig. 
3B respectively show, similarly to the sequence ofQ)' to 
©' in left portion, sequence of computing authenticators 
CS2 and CS3. 

[0054] Through the above mentioned sequence ofQ)' 
to®', it is possible to concurrently and independently 
compute authenticators CS1 to CS3 by using the keys 
K1 to K3 respectively. 

[0055] A case has been explained above in which the 
hash units 2 perform parallel processing in three branch- 
es concurrently and independently. However, the 
present invention is not limited to this and it may be ap- 
plied to a case in which the hash units 2 perform parallel 
processing in association with each other and not con- 
currently. 

[0056] The case in which the hash units 2 perform par- 
allel processing in association with each other is ex- 
plained here. Fig. 4A shows configuration and Fig. 4B 
shows operation when hash units 2 perform parallel 
processing in association with each other. More specif- 
ically, these figures show a case in which n is set to 3 
and intermediate data in a previous stage is used as an 
initial value in the next stage. 

[0057] Fig. 4A shows configuration of a case where n 
is set to 3 and intermediate data in a previous stage is 
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used as the initial value in the next stage. The same ref- 
erence numerals as those in Fig. 2A are assigned to the 
hash units 2, the EOR 21 , the one-way function 22, and 
the truncator 23, and detailed description thereof is omit- 
ted herein. 

[0058] This case is different from the case shown in 
Fig. 3A in that the initial value IV is set according to the 
intermediate data generated in other hash unit 2. The 
hash units 2 are so configured that as the initial value 
IV, intermediate data generated in other hash unit 2 is 
substituted. This configuration allows the authenticator 
CS to become more complicated, therefore, security is 
highly enhanced. 

[0059] Fig. 4B shows how the authenticators CS1 to 
CS3 are generated in the hash units 2. Especially, the 
left portion of this figure shows a sequence of computing 
the authenticator CS1 in the hash unit 2 shown in the 
far left side of Fig. 4A. It should be noted that, the au- 
thenticator CS1 is computed through the same se- 
quence as that fromO 1 to©' of the left portion in Fig. 
3B, therefore, intermediate data generated in other hash 
unit 2 is not used. 

[0060] The central portion in Fig. 4B shows a se- 
quence of computing the authenticator CS2 in the hash 
unit 2 second from the left side in Fig. 4A. Herein, the 
authenticator CS2 is computed by using an intermediate 
result (L12) shown by arrow©obtained in the previous 
stage as the initial value through the same sequence as 
that from®' to©' shown in the left portion of Fig. 3B. 
Namely, in this second hash unit 2, the intermediate data 
obtained in the first hash unit 2 is used. 
[0061] The left portion of Fig. 4B shows a sequence 
of computing the authenticator CS3 in the hash unit 2 
third from the left side in Fig. 4A. Herein, the authenti- 
cator CS3 is computed by using an intermediate result 
(L22) shown by arrow@obtained in the previous stage 
as the initial value through the same sequence as that 
from®* to©' shown in the left portion of Fig. 3B. Name- 
ly, in this third hash unit 2, the intermediate data ob- 
tained in the second hash unit 2 is used. 
[0062] Through the above mentioned sequence, the 
hash units 2 are configured so as not to independently 
compute the authenticators CS1 to CS3 but to compute 
them in association with each other. This configuration 
allows a sequence of creation of the authenticators CS 1 
to CS3 to become more complicated, therefore, it be- 
comes more difficult for a third party to forge the text 
data. 

[0063] Fig. 6A and Fig. 6B are conceptual views for 
explaining safety of the authentication system used in 
this embodiment. Fig. 6A shows the concept of the 
present invention while Fig. 6B shows the concept of the 
conventional technology. 

[0064] In Fig. 6B, a text space M is a virtual space 
possibly occupied by the text as an object to be forged, 
and the authenticator space is a virtual space possibly 
occupied by the authenticator. When the text space M 
corresponds to the authenticator space one to one, it 



becomes necessary to increase the block length of the 
authenticator in order to make smaller a forged text 
space M2 on the text space M in the manner shown with 
the circle indicated by a dotted line to the circle indicated 
5 by a solid line, so that a probability that the forged au- 
thenticator is by mistake recognized as the genuine au- 
thenticator is reduced. 

[0065] However, as the block length of the authenti- 
cator depends on the processing block length of a hash 
io function, the block length of the authenticator cannot be 
easily made longer. 

[0066] Therefore, in the present invention, as shown 
in Fig. 6 A, a forged space is made smaller by making 
use of a plurality of keys, so that the probability that the 

'5 forged authenticator is by mistake recognized as the 
genuine authenticator is reduced. More specifically, as- 
suming in Fig. 6 A that a forged-text space on the text 
space M when the key K1 is used is M1, that a forged 
text space on the text space M when the key K2 is used 

20 is M2, and that a forged text space on the text space M 
when the key K3 is used is M3, and when the keys K1, 
K2, and K3 according to the present invention are used, 
the space for forgery is a space for forgery M123 which 
is extremely small and it is the area commonly shared 

25 by the spaces for forgery M1 , M2, and M3, thus a prob- 
ability that the data can be forged becomes still smaller 
[0067] As described above, in the present invention, 
the signing station creates a plurality of authenticators 
using a plurality of one-way functions and then links 

30 these plurality of authenticators to the electronic data, 
while the certifying station compares the authenticators 
created from the electronic data which is separated from 
the received data with the authenticators included in this 
received data, and verifies whether the electronic data 

35 is a forged one or not. Therefore, with the present in- 
vention, even when the electronic data is a forged one, 
the probability of mis identification that the forged data 
may be erroneously recognized as an authentic data 
can greatly and easily be reduced, further, the probabil- 

40 ity of misidentification can be reduced through parallel 
processing without increasing the time required for pre- 
paring authenticators. 

[0068] Furthermore, if the authenticator is truncated 
using a truncator, the probability of misidentification of 

45 a forged authenticator can further be reduced without 
increasing the amount of data required for the authen- 
ticator to be appended to the electronic data. In addition, 
intermediate data obtained when the authenticator is 
created in a previous stage is used as the initial value 

50 in the next stage, which allows the probability of misi- 
dentification to further be reduced. 
[0069] The above description assumes that the object 
for processing is text data in a document. However, the 
present invention is not limited to the above case, but is 

55 also applicable to various types of multimedia data such 
as image data, video data, or audio data. In addition, 
although it has been described above that a hash func- 
tion is used as a one-way function, the present invention 
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is not limited to the above case, and any one-way func- 
tion other that the hash function may be used. 
[0070] Although the invention has been described 
with respect to a specific embodiment for a complete 
and clear disclosure, the appended claims are not to be 
thus limited but are to be construed as embodying all 
modifications and alternative constructions that may oc- 
cur to one skilled in the art which fairly fall within the 
basic teaching herein set forth. 



Claims 

1. An authentication system comprising: 

a signing station which creates an authenticator 
by applying a one-way function to information 
and then appends a signature generated from 
the authenticator to the information: 
a certifying station for checking the authentica- 
tion of the information from the authenticator in- 
cluded in the data received from said signing 
station; 

wherein said signing station has, 

a first authenticator creating unit or dividing the 
information into a plurality of data each having 
a prespecified length, and creating a plurality 
of authenticators by applying a different one- 
way function to each of the data; and 
a linking unit for linking the plurality of authen- 
ticators created in said first authenticator creat- 
ing unit to the information; 

and said certifying station has, 

a separating unit for separating the information 
and the plurality of authenticators from the data 
received from said signing station; 
a second authenticator creating unit for dividing 
the information separated by said separating 
unit into a plurality of data each having a pre- 
specified length, and creating a plurality of au- 
thenticators by applying a different one-way 
function to each of the data; and 
a certifying unit for comparing the plurality of 
authenticators created by said second authen- 
ticator creating unit with the plurality of authen- 
ticators separated from the information by said 
separating unit, and checking the authentica- 
tion of the information. 

2. An authentication system according to Claim 1; 
wherein said linking unit links the authenticators ob- 
tained by truncating the authenticators created by 
said first authenticator creating unit to the informa- 
tion, and 
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said certifying unit compares the authentica- 
tors obtained by truncating the authenticators cre- 
ated by said second authenticator creating unit to- 
the authenticators separated from the information 
5 by said separating unit and checking the authenti- 
cation of the information. 

3. An authentication system according to Claim 2; 
wherein said first authenticator creating unit and 

io said second authenticator creating unit create a first 
authenticator by subjecting first data to a one-way 
operation using a first key, and prepare a second 
authenticator by subjecting second data to a one- 
way operation using a second key. 

15 

4. An authentication system according to Claim 3; 
wherein each of said first authenticator creating unit 
and said second authenticator creating unit dis- 
cretely and independently creates the first authen- 

20 ticator and the second authenticator in parallel with 
each other. 

5. An authentication system according to Claim 3; 
wherein each of said first authenticator creating unit 

25 and said second authenticator creating unit utilize 
intermediate data when creating the second au- 
thenticator, which intermediate data is generated 
when the first authenticator is created. 

30 6. An authentication method applied in an authentica- 
tion system, wherein said authentication system 
has a signing station which creates an authenticator 
by applying a one-way function to information and 
then appends a signature generated from the au- 

35 thenticator to the information, and a certifying sta- 
tion for checking the authentication of the informa- 
tion from the authenticator included in the data re- 
ceived from said signing station; wherein 

40 said signing station executes, 

a first authenticator creating step of dividing the 
information into a plurality of data each having 
a prespecified length, and creating a plurality 
of authenticators by applying a different one- 

45 way function to each of the data; and 

a transmitting step of linking the plurality of au- 
thenticators created in said first authenticator 
creating step to the information and transmit- 
ting the information to the certifying station; and 

so said certifying station executes, 

a separating step of separating the information 
and the plurality of authenticators from the data 
received from said signing station; 
a second authenticator creating step of dividing 

55 the information separated in said separating 

step into a plurality of data each having a pre- 
specified length, and creating a plurality of au- 
thenticators by applying a different one-way 
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function to each of the data; and 
a certifying step of comparing the plurality of 
authenticators created in said second authen- 
ticates creating step with the plurality of authen- 
ticators separated from the information in said 
separating step, and checking the authentica- 
tion of the information. 

7. An authentication method according to Claim 6; 
wherein said transmitting step comprises a step of 
linking the authenticators obtained by truncating the 
authenticators created in said first authenticator 
creating step to the information, and 

said certifying step comprises a step of com- 
paring the authenticator obtained by truncating the 
authenticators created in said second authenticator 
creating step to the authenticators separated from 
the information in said separating step and a step 
of checking the authentication of the information. 

8. An authentication method according to Claim 7; 
wherein said first authenticator creating step and 
said second authenticator creating step comprise a 
step of creating a first authenticator by subjecting 
first data to a one-way operation using a first key, 
and a step of creating a second authenticator by 
subjecting second data to a one-way operation us- 
ing a second key. 

9. An authentication method according to Claim 8; 
wherein each of said first authenticator creating 
step and said second authenticator creating step 
comprise a step of discretely and independently 
creating the first authenticator and the second au- 
thenticator in parallel with each other. 

10. An authentication system according to Claim 8; 
wherein each of said first authenticator creating 
step and said second authenticator creating step 
comprise a step of utilizing intermediate data when 
creating the second authenticator, which intermedi- 
ate data is generated when the first authenticator is 
created. 

1 1 . A software program for making a computer execute 
an authentication method applied in an authentica- 
tion system, wherein said authentication system 
has a signing station which creates an authenticator 
by applying a one-way function to information and 
then appends a signature generated from the au- 
thenticator to the information, and a certifying sta- 
tion for checking the authentication of the informa- 
tion from the authenticator included in the data re- 
ceived from said signing station; wherein 

the program makes said signing station exe- 
cute, 

a first authenticator creating step of dividing the 



information into a plurality of data each having 
a prespecified length, and creating a plurality 
of authenticators by applying a different one- 
way function to each of the data; and 
5 a transmitting step of linking the plurality of au- 

thenticators created in said first authenticator 
creating step to the information and transmit- 
ting the information to the certifying station; and 
the program makes said certifying station exe- 
rt) cute, 

a separating step of separating the information 
and the plurality of authenticators from the data 
received from said signing station; 
a second authenticator creating step of dividing 
7 5 the information separated in said separating 

step into a plurality of data each having a pre- 
specified length, and creating a plurality of au- 
thenticators by applying a different one-way 
function to each of the data; and 
20 a certifying step of comparing the plurality of 

authenticators created in said second authen- 
ticator creating step with the plurality of authen- 
ticators separated from the information in said 
separating step, and checking the authentica- 
25 tion of the information. 

12. A signing apparatus which creates an authenticator 
by utilizing a key and applying a one-way function 
to information and then appends a signature to the 

30 information; said apparatus comprising: 

a dividing unit for dividing the information into 
a plurality of data; 

an authenticator creating unit for creating an 
35 authenticator by utilizing a key and applying a 

one-way function corresponding to each of the 
divided data; and 

a linking unit for linking the plurality of created 
authenticators to the information. 

40 

13. A signing apparatus which creates an authenticator 
by utilizing a key and applying a one-way function 
to information and then appends a signature to the 
information; said apparatus comprising: 

45 

a dividing unit for dividing the information into 
a plurality of data; 

an authenticator creating unit for repeating the 
creation of an authenticator by utilizing a key 

50 and applying a one-way function to one of the 

divided data as well as creation of an authenti- 
cator by utilizing a key and applying a one-way 
function to desired intermediate data for which 
the one-way function has already been applied 

& as the next data; and 

a linking unit for linking the plurality of created 
authenticators to the information. 
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1 4. A certifying apparatus which creates an authentica- 
tes by utilizing a key and applying a one-way func- 
tion to information and then appends a signature to 
the information as well as checking the authentica- 
tion of the information; said apparatus comprising: 



1 5. A certifying apparatus which creates an authentica- 
tor by utilizing a key and applying a one-way func- 
tion to information and then appends a signature to 
the information as well as checking the authentica- 
tion of the information; said apparatus comprising: 

a separating unit for separating information and 
the plurality of authenticators from the data; 
a dividing unit for dividing the information into 
a plurality of data; 

an authenticator creating unit for repeating the 
creation of an authenticator by utilizing a key 
and applying a one-way function to one of the 
divided data as well as creation of an authenti- 
cator by utilizing a key and applying a one-way 
function to desired intermediate data for which 
the one-way function has already been applied, 
as the next data; and 

a certifying unit for checking the authentication 
of the information based on each of the created 
authenticators and each of the separated au- 
thenticators. 

1 6. A software program for making a computer execute: 



creation of an authenticator by utilizing a key 
and applying a one-way function to one of the 
divided data as well as creation of an authenti- 
cator by utilizing a key and applying a one-way 
5 function to a desired intermediate data the next 

data when the one-way function was applied; 
and 

a linking step of linking the plurality of created 
authenticators to the information. 

18. A software program for making a computer execute: 

a separating step of separating information and 
a plurality of authenticators from data; 
a dividing step of dividing the information into a 
plurality of data; 

an authenticator creating step of creating au- 
thenticators by utilizing a key and applying a 
one-way function corresponding to each of the 
divided data; and 

a certifying step of checking the authentication 
of the information based on each of the created 
authenticators and each of the separated au- 
thenticators. 

19. A software program for making a computer execute: 

a separating step of separating information and 
plurality of authenticators from data; 
a dividing step of dividing the information into a 
plurality of data; 

an authenticator creating step of repeating the 
creation of an authenticator by utilizing a key 
and applying a one-way function to one of the 
divided data as well as creation of an authenti- 
cator by utilizing a key and applying a one-way 
function to a desired intermediate data the next 
data when the one-way function was applied; 
and 

a certifying step of checking the authentication 
of the information based on each of the created 
authenticators and each of the separated au- 
thenticators. 



aseparating unit for separating information and 
the plurality of authenticators from the data; 
a dividing unit for dividing the information into 
a plurality of data; 10 
an authenticator creating unit for creating au- 
thenticators by utilizing a key and applying a 
one-way function corresponding to each of the 
divided data; and 

a certifying unit for checking the authentication 15 
of the information based on each of the created 
authenticators and each of the separated au- 
thenticators. 



a dividing step of dividing information into a plu- 4S 
rality of data; 

an authenticator creating step of creating an 
authenticator by utilizing a key and applying a 
one-way function corresponding to each of the 
divided data; and so 
a linking step of linking the plurality of created 
authenticators to the information. 



17. A software program for making a computer execute: 

a dividing step of dividing information into a plu- 
rality of data; 

an authenticator creating step of repeating the 



20. A signing method in which an authenticator is cre- 
ated by utilizing a key and applying a one-way func- 
tion to information and then a signature is appended 
to the information; said method comprising: 

a dividing step of dividing information into a plu- 
rality of data; 

an authenticator creating step of creating au- 
thenticators by utilizing a key and applying a 
one-way function corresponding to each of the 
divided data; and 

a linking step of linking the plurality of created 
authenticators to the information. 



9 



9/18/2006, EAST Version: 2.1.0.14 



17 



EP 1 041 767 A2 



18 



21. A signing method in which an authenticates is cre- 
ated by utilizing a key and applying a one-way func- 
tion to information and then a signature is appended 
to the information; said method comprising: 



of the information based on each of the created 
authenticators and each of the separated au- 
thenticators. 

s 24. A computer readable recording medium on which is 
recorded a software program according to any one 
of claims 11, 16, 17, 18 or 19. 



a dividing step of dividing information into a plu- 
rality of data; 
an authenticate r creating step of repeating the 
creation of an authenticates by utilizing a key 
and applying a one-way function to one of the M> 
divided data as well as creation of an authenti- 
cator by utilizing a key and applying a one-way 
function to a desired intermediate data the next 
data when the one-way function was applied; 
and is 
a linking step of linking the plurality of created 
authenticators to the information. 



22. A certifying method in which an authenticator is cre- 
ated by utilizing a key and applying a one-way tunc- 20 
tion to information and then a signature is appended 
to the information as well as the authentication of 
the information is checked; said method compris- 
ing: 

25 

a separating step of separating information and 
a plurality of authenticators from data; 
a dividing step of dividing the information into a 
plurality of data; 

an authenticator creating step of creating au- 30 
thenticators by utilizing a key and applying a 
one-way function corresponding to each of the 
divided data; and 

a certifying step of checking the authentication 
of the information based on each of the created 35 
authenticators and each of the separated au- 
thenticators. 



23. A certifying method in which an authenticator is cre- 
ated by utilizing a key and applying a one-way tunc- 40 
tion to information and then a signature is appended 
to the information as well as the authentication of 
the information is checked; said method compris- 
ing: 

45 

a separating step of separating information and 
plurality of authenticators from data; 
a dividing step of dividing the information into a 
plurality of data; 

an authenticator creating step of repeating the so 
creation of an authenticator by utilizing a key 
and applying a one-way function to one of the 
divided data as well as creation of an authenti- 
cator by utilizing a key and applying a one-way 
function to desired intermediate data, for which ss 
the one-way function has been applied, as the 
next data; and 

a certifying step of checking the authentication 
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FIG.5 
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FIG.6A 



PRESENT INVENTION 
TEXT SPACE M FORGED-TEXT 




THE KEY K3 FORGED-TEXT 

SPACE M 1,2,3 UNDER 
THE KEY K1,2,3 

FIG.6B 



CONVENTIONAL TYPE 
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